
ISO 27001:2022 Annex A Control 5.17

Authentication information

Annex A control 5.17 of the 2022 version of the ISO 27001 standard can be mapped to ISO 27001:2013 Annex A 9.2.4, ISO 27001:2013 Annex A 9.3.1 and ISO 27001:2013 Annex A 9.4.3.

Annex A 5.17 focuses on keeping authentication information secure. Organisations must protect user credentials such as passwords and security questions, make sure that users can authenticate to systems securely with those credentials, and be able to reset them when necessary.

Access to systems containing sensitive information is controlled by encryption keys, card chips, passwords and other authentication details. If these details are handled poorly they can give unauthorised access to data and systems, resulting in a loss of confidentiality and data integrity.

How to allocate information access

Control 5.17 outlines six requirements for the administration of authentication information that businesses must adhere to. These are:

  1. When new users are enrolled, their passwords and personal identification numbers must not be reasonably possible to guess. Each new user should receive a unique initial password that is changed after its first use.
  2. Organisations must have processes in place to verify a user's identity before issuing new or replacement authentication information.
  3. Organisations must transmit authentication details to individuals through secure channels, avoiding insecure electronic messages such as plain-text email.
  4. Users must confirm receipt of their authentication details.
  5. Organisations must promptly change default authentication details after installing new IT systems and software.
  6. Organisations must keep records of all significant events related to the allocation and management of authentication information. These records must be kept confidential using authorised methods of record-keeping.

What are the user responsibilities?

To make sure data remains secure, those with access must adhere to certain guidelines, outlined in control 5.17. These are:

  • Users must keep authentication information, such as passwords, confidential. When multiple users share authentication information, they must ensure it is not disclosed to unauthorised individuals.
  • If password confidentiality is compromised, the password must be changed immediately.
  • Passwords must be strong, complex and difficult to guess.
  • A single password must not be reused across different services or platforms.
  • Employees must acknowledge their responsibility for creating and using passwords in their employment contracts.

Password management systems

Annex 5.17 also outlines guidelines for organisations to adhere to when setting up a password management system. These are:

  • Users can create and change their own passwords, with a confirmation step that detects and corrects entry errors.
  • Organisations should follow industry best practices when developing a robust password selection process.
  • Users should change default passwords upon first accessing systems.
  • Passwords should be changed when necessary, such as after a security incident or when an employee departs.
  • Previous passwords should not be reused.
  • Passwords that are widely known or compromised in a data breach should not be used.
  • Passwords should not be displayed in plain text on screen while they are being entered.
  • Passwords should be stored and transmitted securely.
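As an added example that is not part of the original page, the standard or any vendor product, the following Python sketch shows how several of the points above, and two of the allocation requirements, look in a small password-management backend: a random single-use initial credential flagged for change at first login, salted hashing so that only a hash is stored, a confirmation step to catch entry errors, a denylist of widely known or breached passwords, a history check that blocks reuse of previous passwords, and an audit record of significant credential events. The denylist, iteration count, history depth and user records are constructed assumptions, not values taken from the standard.

```python
"""Added illustrative example for ISO 27001:2022 Control 5.17; not code from the
standard or any product.  The denylist and user records are constructed data."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed denylist of widely known / breached passwords.  Assumption: a real
# deployment would check a large breach corpus, not a handful of strings.
KNOWN_COMPROMISED = {"password", "123456", "qwerty", "welcome1"}
MIN_LENGTH = 12        # assumed policy value
HISTORY_DEPTH = 5      # assumed number of previous hashes kept to block reuse
PBKDF2_ROUNDS = 200_000  # assumed work factor

# Record of significant credential events (requirement 6).  In production this
# would be written to protected, access-controlled storage rather than a list.
AUDIT_LOG: List[Dict] = []


def audit(event: str, username: str, **detail) -> None:
    AUDIT_LOG.append({"event": event, "user": username, **detail})


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256.  Only salt and digest are stored, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against a stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


@dataclass
class UserRecord:
    username: str
    salt: bytes
    digest: bytes
    must_change: bool = True   # initial / default credential must be changed on first use
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)


def check_password_policy(candidate: str, confirm: str, user: UserRecord) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems: List[str] = []
    if candidate != confirm:                       # confirmation step catches entry errors
        problems.append("confirmation does not match")
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in KNOWN_COMPROMISED:     # widely known / breached passwords
        problems.append("password is widely known or appeared in a breach")
    # Compare against the current and previous hashes so old passwords cannot return.
    for salt, digest in [(user.salt, user.digest)] + user.history:
        if verify_password(candidate, salt, digest):
            problems.append("reuses a current or previous password")
            break
    return problems


def enrol_user(username: str) -> Tuple[UserRecord, str]:
    """Issue a random, unique initial secret that must be changed on first login (requirement 1)."""
    initial = secrets.token_urlsafe(12)            # 16 characters, not guessable
    salt, digest = hash_password(initial)
    user = UserRecord(username, salt, digest, must_change=True)
    audit("credential_issued", username)           # the secret itself is never logged
    return user, initial                           # deliver to the user over a secure channel


def change_password(user: UserRecord, old: str, new: str, confirm: str) -> List[str]:
    """Rotate a password after re-authentication and policy checks; returns violations."""
    if not verify_password(old, user.salt, user.digest):
        audit("password_change_rejected", user.username, reason="current password incorrect")
        return ["current password incorrect"]
    problems = check_password_policy(new, confirm, user)
    if problems:
        audit("password_change_rejected", user.username, reason="; ".join(problems))
        return problems
    user.history = ([(user.salt, user.digest)] + user.history)[:HISTORY_DEPTH]
    user.salt, user.digest = hash_password(new)
    user.must_change = False
    audit("password_changed", user.username)
    return []


if __name__ == "__main__":
    alice, first_secret = enrol_user("alice")
    print("rejected:", change_password(alice, first_secret, "password", "password"))
    print("accepted:", change_password(alice, first_secret, "CorrectHorseBattery9", "CorrectHorseBattery9"))
    print("events:", [e["event"] for e in AUDIT_LOG])
```

The initial secret is returned to the caller rather than logged, mirroring the point that authentication details travel to the user over a secure channel while the event record only notes that a credential was issued; the reuse check compares against stored hashes, so the backend never needs to keep old passwords in clear text.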

What’s different from ISO 27001:2013?

The requirements across both the 2013 and 2022 versions are very similar, but the more recent control introduced a requirement that was not present in 2013. Now, organisations must create and maintain a record of all significant events associated with authentication information. These records should remain secure and confidential at all times.

Organisations must also now include password requirements in their employee contracts.